* WinHex Forensic (can also perform a brute-force attack on the user's passphrase).

* WinHex Forensic (can also perform a brute-force attack on the user's passphrase).

−

== Linux ==

+

= Linux =

−

It is possible to decrypt files using [http://www.linux-ntfs.org/doku.php?id=ntfsdecrypt ntfsdecrypt] tool.

+

It is possible to decrypt files using [http://www.linux-ntfs.org/doku.php?id=ntfsdecrypt ntfsdecrypt] tool. In this case, you should get the private key first (by running ''cipher /x filename.pfx'' on a [[Windows]] system).

=Other References=

=Other References=

http://www.beginningtoseethelight.org/efsrecovery

http://www.beginningtoseethelight.org/efsrecovery

+

+

[[Category:Disk encryption]]
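Review bot: the sentence added under the Linux heading says to "get the private key first" by running ''cipher /x filename.pfx'', but it does not say which user account the export has to be run under, or how the resulting filename.pfx is then given to ntfsdecrypt. Suggest stating both, and replacing "In this case" with an explicit condition. The same edit changes the heading from "== Linux ==" to "= Linux ="; confirm the level change is intended, and match the spacing to "=Other References=" either way.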

Latest revision as of 19:04, 29 December 2008

Windows can encrypt files on an EFS volume by file, by directory, or by the entire volume. Encryption is done using a certificate. The certificate itself is saved on the encrypted volume, but it is encrypted with a password. Volumes can be configured so that they can be recovered using one of several certificates — for example, a recovery certificate belonging to the organization that owns the computer.

How it works

The first time EFS is used, Windows creates a symmetric File Encryption Key (FEK). Windows then creates an RSA public/private key pair that is used to encrypt the FEK. The private key is then encrypted with a hash of the user's passphrase and username. The FEK can also be encrypted with the organization's public key. Microsoft calls this second key a "Recovery Agent".

In Windows 2000 the computer's administrator is the default recovery agent and can decrypt all files encrypted with EFS.
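The key hierarchy described above, as a simplified model added here (not code from the original page and not Windows' implementation): textbook RSA over small constructed primes and a SHA-256 XOR stream stand in for the real algorithms, and every function name is hypothetical. It shows that the FEK, and so the file, can be recovered through either the user's passphrase-protected private key or the recovery agent's key.

```python
import hashlib, secrets

BLOB = 32  # bytes reserved for serialized integers in this model

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with SHA-256(key || offset) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA (no padding) from two given primes: (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def passphrase_key(passphrase: str, username: str) -> bytes:
    """Hash of passphrase and username, used to protect the private key."""
    return hashlib.sha256((passphrase + username).encode()).digest()

def protect_private(priv, passphrase, username) -> bytes:
    """Store the private exponent encrypted under the passphrase hash."""
    return stream_xor(passphrase_key(passphrase, username), priv[1].to_bytes(BLOB, "big"))

def unprotect_private(blob, n, passphrase, username):
    """Recover (n, d); a wrong passphrase silently yields a wrong exponent."""
    d = int.from_bytes(stream_xor(passphrase_key(passphrase, username), blob), "big")
    return n, d

def encrypt_file(data: bytes, publics: dict):
    """Encrypt with a fresh FEK, then wrap the FEK once per public key."""
    fek = secrets.token_bytes(16)
    m = int.from_bytes(fek, "big")
    wrapped = {who: pow(m, e, n) for who, (n, e) in publics.items()}
    return stream_xor(fek, data), wrapped

def decrypt_file(ciphertext: bytes, wrapped_fek: int, priv) -> bytes:
    """Unwrap the FEK with a private key and decrypt the file body."""
    n, d = priv
    fek = pow(wrapped_fek, d, n).to_bytes(BLOB, "big")[-16:]
    return stream_xor(fek, ciphertext)

# Constructed keys from known Mersenne primes: far too small for real use.
USER_PUB, USER_PRIV = rsa_keypair(2**127 - 1, 2**89 - 1)
AGENT_PUB, AGENT_PRIV = rsa_keypair(2**107 - 1, 2**61 - 1)

if __name__ == "__main__":
    blob = protect_private(USER_PRIV, "hunter2", "alice")  # constructed credentials
    ct, wrapped = encrypt_file(b"case notes", {"user": USER_PUB, "agent": AGENT_PUB})
    print(decrypt_file(ct, wrapped["user"], unprotect_private(blob, USER_PUB[0], "hunter2", "alice")))
    print(decrypt_file(ct, wrapped["agent"], AGENT_PRIV))
```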